Keys to Use in Your Queries
Also referred to as fields, keys define the data in your logs. Each event type contains a specific set of keys. Keys are the constant, while the values of a key can vary.
This topic lists the keys that occur in each standard event type in SIEM (InsightIDR). Together they form the schema: the data structure that allows the application to read the data.
It is helpful to know which keys you want to search in Log Search, so that you can create queries on the key-value pair and easily find the data you need for your investigation.
It is also helpful to know which type of data the values are presented in (strings, timestamps, or numbers, for example) so that you can create precise queries to search them.
Most event types go to both Log Search and the Detection Engine; however, some event types are solely detection-based. There are also some schemas that do not have associated event types, which are part of the Audit Log.
Log Search and detection-based event types
All event types contain keys that can be referenced in your Log Search queries. The lists under each event type display one key on each line and the format of its corresponding value.
entry_id
Each log line includes entry_id, which is a unique identifier assigned to every log line ingested into Log Search. It serves as a reliable reference point, allowing you to quickly locate, correlate, and act on specific events across your environment. By including the entry_id in search queries or automation workflows, you can efficiently trace alerts back to individual log lines, reduce investigation time, and maintain consistent references in audit trails or incident documentation.
For example, "action": "STRING" refers to a field or key named 'action' and the type of data it contains; in this case, a string of alphanumeric characters.
When you know which key you want to investigate, you can find the corresponding log set to select in Log Search.
This section contains the event types and keys that correspond to the log sets that are visible in Log Search. It also includes the event types and keys that inform the logic on which Detection Rules are created.
In the user interface, the Rules Logic tab of the Detection Rules screen specifies the source event type that the detection rule will monitor. For example, look at the from parameter in the rule logic.
from(
event_type = "third_party_alert"
)
The order of keys in the list
This documentation lists the event type keys in alphabetical order for easy reference. The user interface may show them in a different order.
The keys are presented in a list format, which shows parent fields and child fields where they exist. This can help you to search keys by using the query syntax where(parentfield.childfield="value").
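As an added illustration (this is not code from Rapid7's documentation or from Log Search itself), the Python below resolves dotted parent.child key paths over constructed ad_admin-shaped sample events, filters them the way a where(parentfield.childfield="value") clause would, and checks each value against the value formats listed in the tables on this page. The sample user names, domains, rrn strings, entry_id values and the helper names (get_key, where, check_types) are all constructed for this example; the STRING/TIMESTAMP/NUMERIC/RRN checks are a local approximation of the value formats, not Log Search's own type handling.

```python
import json
from datetime import datetime

# Constructed sample events, shaped like the ad_admin event type: top-level keys
# plus the nested r7_context block. Names, domains, rrn values and entry_id
# values are made up for this example.
SAMPLE_EVENTS = [
    {
        "action": "ADD_MEMBER", "group": "Domain Admins",
        "group_domain": "corp.example", "group_scope": "Global",
        "r7_context": {
            "source_user": {"rrn": "rrn:uba:example:user:0001", "name": "j.doe",
                            "type": "USER", "domain": "corp.example"},
            "target_user": {"rrn": "rrn:uba:example:user:0002", "name": "svc-backup",
                            "type": "USER", "domain": "corp.example"},
        },
        "source_user": "j.doe", "target_user": "svc-backup",
        "timestamp": "2024-05-01T10:15:00Z", "entry_id": "entry-0001",
    },
    {
        "action": "ADD_MEMBER", "group": "Helpdesk",
        "group_domain": "corp.example", "group_scope": "Global",
        "r7_context": {
            "source_user": {"rrn": "rrn:uba:example:user:0003", "name": "a.smith",
                            "type": "USER", "domain": "corp.example"},
            "target_user": {"rrn": "rrn:uba:example:user:0004", "name": "t.nguyen",
                            "type": "USER", "domain": "corp.example"},
        },
        "source_user": "a.smith", "target_user": "t.nguyen",
        "timestamp": "2024-05-01T10:16:30Z", "entry_id": "entry-0002",
    },
    {
        # Constructed malformed event: timestamp arrives as a number rather than
        # a TIMESTAMP string, which the type check below should flag.
        "action": "REMOVE_MEMBER", "group": "Domain Admins",
        "group_domain": "corp.example", "group_scope": "Global",
        "r7_context": {
            "source_user": {"rrn": "rrn:uba:example:user:0001", "name": "j.doe",
                            "type": "USER", "domain": "corp.example"},
            "target_user": {"rrn": "rrn:uba:example:user:0002", "name": "svc-backup",
                            "type": "USER", "domain": "corp.example"},
        },
        "source_user": "j.doe", "target_user": "svc-backup",
        "timestamp": 1714558620, "entry_id": "entry-0003",
    },
]

# Subset of the ad_admin value formats from the table on this page, keyed by
# dotted key path so nested r7_context children can be checked too.
AD_ADMIN_SCHEMA = {
    "action": "STRING", "group": "STRING", "group_domain": "STRING",
    "group_scope": "STRING",
    "r7_context.source_user.rrn": "RRN", "r7_context.source_user.name": "STRING",
    "r7_context.source_user.type": "STRING", "r7_context.source_user.domain": "STRING",
    "r7_context.target_user.rrn": "RRN", "r7_context.target_user.name": "STRING",
    "source_user": "STRING", "target_user": "STRING",
    "timestamp": "TIMESTAMP", "entry_id": "STRING",
}


def get_key(event, path):
    """Resolve a dotted path such as r7_context.source_user.name; None if absent."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def where(events, path, value):
    """Local stand-in for where(parentfield.childfield="value"): exact match on a key path."""
    return [e for e in events if get_key(e, path) == value]


def entry_ids(events):
    """The entry_id of each event, the stable reference to quote in an investigation."""
    return [e.get("entry_id") for e in events]


def _is_timestamp(value):
    # Accept ISO 8601 strings; fromisoformat() needs "+00:00" rather than "Z" on older Pythons.
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


FORMAT_CHECKS = {
    "STRING": lambda v: isinstance(v, str),
    "RRN": lambda v: isinstance(v, str) and v.startswith("rrn:"),
    "TIMESTAMP": _is_timestamp,
    "NUMERIC": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
}


def check_types(event, schema):
    """Return 'path: expected FORMAT, got pytype' for each present key whose value does not fit the schema."""
    problems = []
    for path, fmt in schema.items():
        value = get_key(event, path)
        if value is None:
            continue  # missing keys are not type errors; only mismatched values are reported
        if not FORMAT_CHECKS[fmt](value):
            problems.append(f"{path}: expected {fmt}, got {type(value).__name__}")
    return problems


if __name__ == "__main__":
    hits = where(SAMPLE_EVENTS, "r7_context.source_user.name", "j.doe")
    print("j.doe changes:", json.dumps(entry_ids(hits)))
    for event in SAMPLE_EVENTS:
        print(event["entry_id"], check_types(event, AD_ADMIN_SCHEMA) or "ok")
```

Running the block filters on the nested r7_context.source_user.name path exactly as the query syntax above does on the top-level and child keys, and reports the third constructed event because its timestamp is not in the TIMESTAMP format the table specifies; knowing the expected value format in advance is what lets a query like where(timestamp>...) behave predictably.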
Active Directory Admin Activity
ad_admin
| Key | Value format |
|---|---|
| action | STRING |
| group | STRING |
| group_domain | STRING |
| group_scope | STRING |
| r7_context | |
| source_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| target_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| source_account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| target_account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_account | STRING |
| source_asset | STRING |
| source_data | STRING |
| source_json | {} |
| source_user | STRING |
| source_user_domain | STRING |
| target_account | STRING |
| target_user | STRING |
| target_user_domain | STRING |
| timestamp | TIMESTAMP |
| entry_id | STRING |
Active Directory Admin Activity event type code block
{
"action": "STRING",
"group": "STRING",
"group_domain": "STRING",
"group_scope": "STRING",
"r7_context": {
"source_user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING",
"domain": "STRING"
},
"target_user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING",
"domain": "STRING"
},
"source_account": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"target_account": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
}
},
"source_account": "STRING",
"source_asset": "STRING",
"source_data": "STRING",
"source_json": {},
"source_user": "STRING",
"source_user_domain": "STRING",
"target_account": "STRING",
"target_user": "STRING",
"target_user_domain": "STRING",
"timestamp": "TIMESTAMP",
"entry_id": "STRING"
}
Advanced Malware Alert
advanced_malware
| Key | Value format |
|---|---|
| asset | STRING |
| alert_name | STRING |
| custom_data | {} |
| destination_address | STRING |
| destination_port | STRING |
| destination_user | STRING |
| destination_user_domain | STRING |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| protocol | STRING |
| r7_context | |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| secondary_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| secondary_asset | STRING |
| severity | STRING |
| signature_name | STRING |
| source_address | STRING |
| source_data | STRING |
| source_port | STRING |
| source_user | STRING |
| source_user_domain | STRING |
| timestamp | TIMESTAMP |
| entry_id | STRING |
Advanced Malware Alert event type code block
{
"asset": "STRING",
"alert_name": "STRING",
"custom_data": {},
"destination_address": "STRING",
"destination_port": "STRING",
"destination_user": "STRING",
"destination_user_domain": "STRING",
"geoip_city": "STRING",
"geoip_country_code": "STRING",
"geoip_country_name": "STRING",
"geoip_organization": "STRING",
"geoip_region": "STRING",
"protocol": "STRING",
"r7_context": {
"asset": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"source_user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING",
"domain": "STRING"
},
"secondary_asset": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"destination_user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING",
"domain": "STRING"
}
},
"secondary_asset": "STRING",
"severity": "STRING",
"signature_name": "STRING",
"source_address": "STRING",
"source_data": "STRING",
"source_port": "STRING",
"source_user": "STRING",
"source_user_domain": "STRING",
"timestamp": "TIMESTAMP",
"entry_id": "STRING"
}
Asset Authentication
asset_auth
| Key | Value format |
|---|---|
| destination_account | STRING |
| destination_account_sid | STRING |
| destination_asset | STRING |
| destination_asset_address | STRING |
| destination_domain | STRING |
| destination_local_account | STRING |
| destination_user | STRING |
| logon_type | STRING |
| new_authentication | STRING |
| new_source_authentication | STRING |
| new_source_for_account | STRING |
| r7_context | |
| source_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| destination_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| result | STRING |
| service | STRING |
| source_account | STRING |
| source_asset | STRING |
| source_asset_address | STRING |
| source_data | STRING |
| source_domain | STRING |
| source_json | {} |
| source_user | STRING |
| timestamp | TIMESTAMP |
| entry_id | STRING |
Asset Authentication event type code block
{
"destination_account": "STRING",
"destination_account_sid": "STRING",
"destination_asset": "STRING",
"destination_asset_address": "STRING",
"destination_domain": "STRING",
"destination_local_account": "STRING",
"destination_user": "STRING",
"logon_type": "STRING",
"new_authentication": "STRING",
"new_source_authentication": "STRING",
"new_source_for_account": "STRING",
"r7_context": {
"source_asset": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"destination_user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING",
"domain": "STRING"
},
"destination_asset": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"destination_account": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
}
},
"result": "STRING",
"service": "STRING",
"source_account": "STRING",
"source_asset": "STRING",
"source_asset_address": "STRING",
"source_data": "STRING",
"source_domain": "STRING",
"source_json": {},
"source_user": "STRING",
"timestamp": "TIMESTAMP",
"entry_id": "STRING"
}
Cloud Service Activity
cloud_service_activity
| Key | Value format |
|---|---|
| action | STRING |
| service | STRING |
| source_account | STRING |
| source_json | {} |
| source_user | STRING |
| timestamp | TIMESTAMP |
| user_agent | STRING |
| entry_id | STRING |
Cloud Service Activity event type code block
{
"action": "STRING",
"service": "STRING",
"source_account": "STRING",
"source_json": {},
"source_user": "STRING",
"timestamp": "TIMESTAMP",
"user_agent": "STRING",
"entry_id": "STRING"
}
Cloud Service Admin Activity
cloud_service_admin
| Key | Value format |
|---|---|
| action | STRING |
| service | STRING |
| source_account | STRING |
| source_json | {} |
| source_user | STRING |
| target_account | STRING |
| target_user | STRING |
| timestamp | TIMESTAMP |
| user_agent | STRING |
| entry_id | STRING |
Cloud Service Admin Activity event type code block
{
"action": "STRING",
"service": "STRING",
"source_account": "STRING",
"source_json": {},
"source_user": "STRING",
"target_account": "STRING",
"target_user": "STRING",
"timestamp": "TIMESTAMP",
"user_agent": "STRING",
"entry_id": "STRING"
}
DNS Query
dns
| Key | Value format |
|---|---|
| asset | STRING |
| custom_data | {} |
| dns_server_port | STRING |
| dns_server_address | STRING |
| public_suffix | STRING |
| query | STRING |
| query_blocked | STRING |
| query_class | STRING |
| query_type | STRING |
| r7_context | |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_address | STRING |
| source_data | STRING |
| source_port | STRING |
| top_private_domain | STRING |
| timestamp | TIMESTAMP |
| user | STRING |
| observation_count | NUMERIC |
| first_observed_time | TIMESTAMP |
| last_observed_time | TIMESTAMP |
| user_domain | STRING |
| entry_id | STRING |
This event type contains deduplicated data.
DNS Query event type code block
{
"asset": "STRING",
"custom_data": {},
"dns_server_port": "STRING",
"dns_server_address": "STRING",
"public_suffix": "STRING",
"query": "STRING",
"query_blocked": "STRING",
"query_class": "STRING",
"query_type": "STRING",
"r7_context": {
"user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING",
"domain": "STRING"
},
"asset": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
}
},
"source_address": "STRING",
"source_data": "STRING",
"source_port": "STRING",
"top_private_domain": "STRING",
"timestamp": "TIMESTAMP",
"user": "STRING",
"observation_count": "NUMERIC",
"first_observed_time": "TIMESTAMP",
"last_observed_time": "TIMESTAMP",
"user_domain": "STRING",
"entry_id": "STRING"
}
Endpoint Activity
Process Start Event
process_start_event
| Key | Value format |
|---|---|
| dns_domain | STRING |
| duplicated_events | LONG |
| endpoint_id | STRING |
| endpoint_vendor | STRING |
| env_vars | |
| var | STRING |
| val | STRING |
| parent_val | STRING |
| hostname | STRING |
| os_type | STRING |
| parent_process | |
| account_domain | STRING |
| addr | STRING |
| cmd_line | STRING |
| egid | NUMERIC |
| egid_name | STRING |
| euid | NUMERIC |
| euid_name | STRING |
| exe_file | |
| author | STRING |
| countersigning_chain | |
| subject | STRING |
| issuer | STRING |
| thumbprint | STRING |
| created | STRING |
| description | STRING |
| gid | NUMERIC |
| group | STRING |
| hashes | |
| md5 | STRING |
| sha256 | STRING |
| sha1 | STRING |
| internal_name | STRING |
| last_accessed | STRING |
| last_modified | STRING |
| orig_filename | STRING |
| owner | STRING |
| permissions | STRING |
| product_name | STRING |
| signing_chain | |
| subject | STRING |
| issuer | STRING |
| thumbprint | STRING |
| signing_status | STRING |
| size | LONG |
| uid | NUMERIC |
| version | STRING |
| exe_path | STRING |
| fsgid | NUMERIC |
| fsuid | NUMERIC |
| gid | NUMERIC |
| group | STRING |
| hash_reputation | |
| engine_count | NUMERIC |
| engine_match | NUMERIC |
| engine_percent | DOUBLE |
| first_analyzed_time | STRING |
| reliability | STRING |
| reputation | STRING |
| threat_level | STRING |
| img_path | STRING |
| name | STRING |
| pid | NUMERIC |
| port | NUMERIC |
| ppid | NUMERIC |
| r7_id | STRING |
| rgid | NUMERIC |
| rgid_name | STRING |
| ruid | NUMERIC |
| ruid_name | STRING |
| session | NUMERIC |
| sgid | NUMERIC |
| start_time | STRING |
| suid | NUMERIC |
| uid | NUMERIC |
| username | STRING |
| process | |
| account_domain | STRING |
| addr | STRING |
| cmd_line | STRING |
| egid | NUMERIC |
| egid_name | STRING |
| euid | NUMERIC |
| euid_name | STRING |
| exe_file | |
| author | STRING |
| countersigning_chain | |
| subject | STRING |
| issuer | STRING |
| thumbprint | STRING |
| created | STRING |
| description | STRING |
| gid | NUMERIC |
| group | STRING |
| hashes | |
| md5 | STRING |
| sha256 | STRING |
| sha1 | STRING |
| internal_name | STRING |
| last_accessed | STRING |
| last_modified | STRING |
| orig_filename | STRING |
| owner | STRING |
| permissions | STRING |
| product_name | STRING |
| signing_chain | |
| subject | STRING |
| issuer | STRING |
| thumbprint | STRING |
| signing_status | STRING |
| size | LONG |
| uid | NUMERIC |
| version | STRING |
| exe_path | STRING |
| fsgid | NUMERIC |
| fsuid | NUMERIC |
| gid | NUMERIC |
| group | STRING |
| hash_reputation | |
| engine_count | NUMERIC |
| engine_match | NUMERIC |
| engine_percent | DOUBLE |
| first_analyzed_time | STRING |
| reliability | STRING |
| reputation | STRING |
| threat_level | STRING |
| img_path | STRING |
| name | STRING |
| pid | NUMERIC |
| port | NUMERIC |
| r7_id | STRING |
| rgid | NUMERIC |
| rgid_name | STRING |
| ruid | NUMERIC |
| ruid_name | STRING |
| session | LONG |
| sgid | NUMERIC |
| start_time | STRING |
| suid | NUMERIC |
| uid | NUMERIC |
| username | STRING |
| r7_hostid | STRING |
| entry_id | STRING |
Endpoint Activity, process_start_event event type code block
{
"dns_domain": "STRING",
"duplicated_events": "LONG",
"endpoint_id": "STRING",
"endpoint_vendor": "STRING",
"env_vars": [
{
"var": "STRING",
"val": "STRING",
"parent_val": "STRING"
}
],
"hostname": "STRING",
"os_type": "STRING",
"parent_process":{
"account_domain": "STRING",
"addr": "STRING",
"cmd_line": "STRING",
"egid": "NUMERIC",
"egid_name": "STRING",
"euid": "NUMERIC",
"euid_name": "STRING",
"exe_file": {
"author": "STRING",
"countersigning_chain": [
{
"subject": "STRING",
"issuer": "STRING",
"thumbprint": "STRING"
}
],
"created": "STRING",
"description": "STRING",
"gid": "NUMERIC",
"group": "STRING",
"hashes":{
"md5": "STRING",
"sha256": "STRING",
"sha1": "STRING"
},
"internal_name": "STRING",
"last_accessed": "STRING",
"last_modified": "STRING",
"orig_filename": "STRING",
"owner": "STRING",
"permissions": "STRING",
"product_name": "STRING",
"signing_chain": [
{
"subject": "STRING",
"issuer": "STRING",
"thumbprint": "STRING"
}
],
"signing_status": "STRING",
"size": "LONG",
"uid": "NUMERIC",
"version": "STRING"
},
"exe_path": "STRING",
"fsgid": "NUMERIC",
"fsuid": "NUMERIC",
"gid": "NUMERIC",
"group": "STRING",
"hash_reputation": {
"engine_count": "NUMERIC",
"engine_match": "NUMERIC",
"engine_percent": "DOUBLE",
"first_analyzed_time": "STRING",
"reliability": "STRING",
"reputation": "STRING",
"threat_level": "STRING"
},
"img_path": "STRING",
"name": "STRING",
"pid": "NUMERIC",
"port": "NUMERIC",
"ppid": "NUMERIC",
"r7_id": "STRING",
"rgid": "NUMERIC",
"rgid_name": "STRING",
"ruid": "NUMERIC",
"ruid_name": "STRING",
"session": "LONG",
"sgid": "NUMERIC",
"start_time": "STRING",
"suid": "NUMERIC",
"uid": "NUMERIC",
"username": "STRING"
}
},
"process": {
"account_domain": "STRING",
"addr": "STRING",
"cmd_line": "STRING",
"egid": "NUMERIC",
"egid_name": "STRING",
"euid": "NUMERIC",
"euid_name": "STRING",
"exe_file": {
"author": "STRING",
"countersigning_chain": [
{
"subject": "STRING",
"issuer": "STRING",
"thumbprint": "STRING"
}
],
"created": "STRING",
"description": "STRING",
"gid": "NUMERIC",
"group": "STRING",
"hashes": {
"md5": "STRING",
"sha256": "STRING",
"sha1": "STRING"
},
"internal_name": "STRING",
"last_accessed": "STRING",
"last_modified": "STRING",
"orig_filename": "STRING",
"owner": "STRING",
"permissions": "STRING",
"product_name": "STRING",
"signing_chain": [
{
"subject": "STRING",
"issuer": "STRING",
"thumbprint": "STRING"
}
],
"signing_status": "STRING",
"size": "LONG",
"uid": "NUMERIC",
"version": "STRING"
},
"exe_path": "STRING",
"fsgid": "NUMERIC",
"fsuid": "NUMERIC",
"gid": "NUMERIC",
"group": "STRING",
"hash_reputation": {
"engine_count": "NUMERIC",
"engine_match": "NUMERIC",
"engine_percent": "DOUBLE",
"first_analyzed_time": "STRING",
"reliability": "STRING",
"reputation": "STRING",
"threat_level": "STRING"
},
"img_path": "STRING",
"name": "STRING",
"pid": "NUMERIC",
"port": "NUMERIC",
"r7_id": "STRING",
"rgid": "NUMERIC",
"rgid_name": "STRING",
"ruid": "NUMERIC",
"ruid_name": "STRING",
"session": "LONG",
"sgid": "NUMERIC",
"start_time": "STRING",
"suid": "NUMERIC",
"uid": "NUMERIC",
"username": "STRING"
}
},
"r7_hostid": "STRING"
"entry_id": "STRING"
}
Netbios Poisoning
netbios_poisoning
| Key | Value format |
|---|---|
| timestamp | TIMESTAMP |
| poisoner_asset | STRING |
| observing_asset | STRING |
| poisoner_address | STRING |
| protocol | STRING |
| queried_hostname | STRING |
| source_json | |
| protocol | STRING |
| poisonerAddresses | STRING |
| queriedHostname | STRING |
| agentHostname | STRING |
| r7_context | |
| poisoner_asset | |
| type | STRING |
| rrn | RRN |
| name | STRING |
| observing_asset | |
| type | STRING |
| rrn | RRN |
| name | STRING |
| entry_id | STRING |
Endpoint Activity, netbios_poisoning event type code block
{
"timestamp": "TIMESTAMP",
"poisoner_asset": "STRING",
"observing_asset": "STRING",
"poisoner_address": "STRING",
"protocol": "STRING",
"queried_hostname": "STRING",
"source_json": {
"protocol": "STRING",
"poisonerAddresses": [
"STRING"
],
"queriedHostname": "STRING",
"agentHostname": "STRING"
},
"r7_context": {
"poisoner_asset": {
"type": "STRING",
"rrn": "RRN",
"name": "STRING"
},
"observing_asset": {
"type": "STRING",
"rrn": "RRN",
"name": "STRING"
}
},
"entry_id": "STRING"
}
Local Service Creation
local_service_creation
| Key | Value format |
|---|---|
| timestamp | TIMESTAMP |
| asset | STRING |
| service_name | STRING |
| service_cmdline | STRING |
| source_json | |
| sourceName | STRING |
| insertionStrings | STRING |
| eventCode | STRING |
| computerName | STRING |
| sid | STRING |
| isDomainController | STRING |
| eventData | STRING |
| timeWritten | TIMESTAMP |
| r7_context | |
| asset | |
| type | STRING |
| rrn | RRN |
| name | STRING |
| entry_id | STRING |
Endpoint Activity, local_service_creation event type code block
{
"timestamp": "TIMESTAMP",
"asset": "STRING",
"service_name": "STRING",
"service_cmdline": "STRING",
"source_json": {
"sourceName": "STRING",
"insertionStrings": [
"STRING",
"STRING",
"STRING",
"STRING",
""
],
"eventCode": "STRING",
"computerName": "STRING",
"sid": "STRING",
"isDomainController": "STRING",
"eventData": "STRING",
"timeWritten": "TIMESTAMP"
},
"r7_context": {
"asset": {
"type": "STRING",
"rrn": "RRN",
"name": "STRING"
}
},
"entry_id": "STRING"
}
Sysmon
sysmon
SIEM (InsightIDR) collects these Sysmon event IDs from Microsoft:
- Network Connection
- Create Remote Thread
- Process Access
- Registry Event
- Process Tampering
Depending on which event ID is collected, the shape of the event object will differ. The event object is defined by Microsoft and passed to SIEM (InsightIDR). To learn more, read Microsoft’s documentation at: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Note: geoip lookups will only be populated for events with external IP addresses, for example, Network Connection events.
| Key | Value format |
|---|---|
| hostname | STRING |
| dns_domain | STRING |
| r7_hostid | STRING |
| os_type | STRING |
| event_id | NUMBER |
| event_name | STRING |
| event_provider | STRING |
| event | OBJECT |
| r7_context | OBJECT |
| geoip_ip | STRING |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| entry_id | STRING |
Sysmon event type code block
{
"hostname": "STRING",
"dns_domain": "STRING",
"r7_hostid": "STRING",
"os_type": "STRING",
"event_id": "NUMBER",
"event_name": "STRING",
"event_provider": "STRING",
"event": "OBJECT",
"r7_context": "OBJECT",
"geoip_ip": "STRING",
"geoip_city": "STRING",
"geoip_country_code": "STRING",
"geoip_country_name": "STRING",
"geoip_organization": "STRING",
"geoip_region": "STRING",
"entry_id": "STRING"
}
Endpoint Health
Job Status
job_status
| Key | Value format |
|---|---|
| timestamp | TIMESTAMP |
| job | STRING |
| hostname | STRING |
| status | STRING |
| message | STRING |
| invocation_id | STRING |
| events_reported | NUMERIC |
| queued_time | TIMESTAMP |
| started_time | TIMESTAMP |
| finished_time | TIMESTAMP |
| r7_context | |
| asset | |
| rrn | STRING |
| name | STRING |
| type | STRING |
| r7_hostid | STRING |
| source_json | OBJECT |
| entry_id | STRING |
Endpoint Health, job_status event type code block
{
"timestamp": "TIMESTAMP",
"job": "STRING",
"hostname": "STRING",
"status": "STRING",
"message": "STRING",
"invocation_id": "STRING",
"events_reported": "NUMERIC",
"queued_time": "TIMESTAMP",
"started_time": "TIMESTAMP",
"finished_time": "TIMESTAMP",
"r7_context": {
"asset": {
"rrn": "STRING",
"name": "STRING",
"type": "STRING"
}
},
"r7_hostid": "STRING",
"source_json": "OBJECT",
"entry_id": "STRING"
}
File Access Activity
file_access
| Key | Value format |
|---|---|
| access_types | STRING |
| account | STRING |
| file_extension | STRING |
| file_name | STRING |
| file_path | STRING |
| file_share | STRING |
| service | STRING |
| source_address | STRING |
| source_asset | STRING |
| source_json | {} |
| target_address | STRING |
| timestamp | TIMESTAMP |
| user | STRING |
| entry_id | STRING |
File Access Activity event type code block
{
"access_types": "STRING",
"account": "STRING",
"file_extension": "STRING",
"file_name": "STRING",
"file_path": "STRING",
"file_share": "STRING",
"service": "STRING",
"source_address": "STRING",
"source_asset": "STRING",
"source_json": {},
"target_address": "STRING",
"timestamp": "TIMESTAMP",
"user": "STRING",
"entry_id": "STRING"
}
File Modification Activity
file_modification
| Key | Value format |
|---|---|
| account | STRING |
| asset | STRING |
| asset_address | STRING |
| asset_os_family | STRING |
| file_event | STRING |
| file_extension | STRING |
| file_name | STRING |
| file_path | STRING |
| process | STRING |
| process_id | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| user | STRING |
| entry_id | STRING |
File Modification Activity event type code block
{
"account": "STRING",
"asset": "STRING",
"asset_address": "STRING",
"asset_os_family": "STRING",
"file_event": "STRING",
"file_extension": "STRING",
"file_name": "STRING",
"file_path": "STRING",
"process": "STRING",
"process_id": "STRING",
"source_json": {},
"timestamp": "TIMESTAMP",
"user": "STRING",
"entry_id": "STRING"
}
Firewall Activity
firewall
| Key | Value format |
|---|---|
| asset | STRING |
| community_id | STRING |
| connection_status | STRING |
| custom_data | {} |
| destination_address | STRING |
| destination_port | STRING |
| direction | STRING |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| incoming_bytes | STRING |
| r7_context | |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| outgoing_bytes | STRING |
| source_address | STRING |
| source_data | STRING |
| source_json | {} |
| source_port | STRING |
| transport_protocol | STRING |
| timestamp | TIMESTAMP |
| user | STRING |
| observation_count | NUMERIC |
| first_observed_time | TIMESTAMP |
| last_observed_time | TIMESTAMP |
| entry_id | STRING |
This event type contains deduplicated data.
Firewall Activity event type code block
{
"asset": "STRING",
"community_id": "STRING",
"connection_status": "STRING",
"custom_data": {},
"destination_address": "STRING",
"destination_port": "STRING",
"direction": "STRING",
"geoip_city": "STRING",
"geoip_country_code": "STRING",
"geoip_country_name": "STRING",
"geoip_organization": "STRING",
"geoip_region": "STRING",
"incoming_bytes": "STRING",
"r7_context": {
"user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"asset": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
}
},
"outgoing_bytes": "STRING",
"source_address": "STRING",
"source_data": "STRING",
"source_json": {},
"source_port": "STRING",
"transport_protocol": "STRING",
"timestamp": "TIMESTAMP",
"user": "STRING",
"observation_count": "NUMERIC",
"first_observed_time": "TIMESTAMP",
"last_observed_time": "TIMESTAMP",
"entry_id": "STRING"
}
Host To IP Observations
host_name_to_ip
| Key | Value format |
|---|---|
| account | STRING |
| account_domain | STRING |
| action | STRING |
| asset | STRING |
| client_mac | STRING |
| custom_data | {} |
| host | STRING |
| ip | STRING |
| r7_context | |
| host | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_data | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| user | STRING |
| entry_id | STRING |
Host to IP event type code block
{
"account": "STRING",
"account_domain": "STRING",
"action": "STRING",
"asset": "STRING",
"client_mac": "STRING",
"custom_data": {},
"host": "STRING",
"ip": "STRING",
"observation_status": "STRING",
"r7_context": {
"host": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING",
"domain": "STRING"
},
"asset": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"account": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
}
},
"source_data": "STRING",
"source_json": {},
"timestamp": "TIMESTAMP",
"user": "STRING",
"entry_id": "STRING"
}
IDS Alert
ids
| Key | Value format |
|---|---|
| asset | STRING |
| category | STRING |
| community_id | STRING |
| description | STRING |
| destination_bytes | STRING |
| destination_ip | STRING |
| destination_port | STRING |
| destination_packet_count | STRING |
| ids_app_protocol | STRING |
| ids_app_protocol_info | STRING |
| ja3 | |
| hash | STRING |
| string | STRING |
| ja3s | |
| hash | STRING |
| string | STRING |
| serial | STRING |
| subject | STRING |
| version | STRING |
| issuerdn | STRING |
| notafter | STRING |
| notbefore | STRING |
| fingerprint | STRING |
| source_data | STRING |
| source_json | STRING |
| timestamp | STRING |
| ids_flow_initiated | TIMESTAMP |
| protocol | STRING |
| severity | STRING |
| signature | STRING |
| signature_revision | STRING |
| source_bytes | STRING |
| source_ip | STRING |
| source_packet_count | STRING |
| source_port | STRING |
| timestamp | TIMESTAMP |
| total_bytes | STRING |
| total_packet_count | STRING |
| user | STRING |
| entry_id | STRING |
IDS Alert event type code block
{
"asset": "STRING",
"category": "STRING",
"community_id": "STRING",
"description": "STRING",
"destination_bytes": "STRING",
"destination_ip": "STRING",
"destination_port": "STRING",
"destination_packet_count": "STRING",
"ids_app_protocol": "STRING",
"ids_app_protocol_info": {
"ja3": {
"hash": "STRING",
"string": "STRING"
},
"ja3s": {
"hash": "STRING",
"string": "STRING"
},
"serial": "STRING",
"subject": "STRING",
"version": "STRING",
"issuerdn": "STRING",
"notafter": "STRING",
"notbefore": "STRING",
"fingerprint": "STRING"
},
"ids_flow_initiated": "TIMESTAMP",
"protocol": "STRING",
"severity": "STRING",
"signature": "STRING",
"signature_revision": "STRING",
"source_bytes": "STRING",
"source_ip": "STRING",
"source_packet_count": "STRING",
"source_port": "STRING",
"timestamp": "TIMESTAMP",
"total_bytes": "STRING",
"total_packet_count": "STRING",
"user": "STRING",
"entry_id": "STRING"
}
Ingress Authentication
ingress_auth
| Key | Value format |
|---|---|
| account | STRING |
| authentication_target | STRING |
| custom_data | {} |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| mobile_device_id | STRING |
| r7_context | |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| result | STRING |
| service | STRING |
| service_address | STRING |
| source_data | STRING |
| source_ip | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| user | STRING |
| user_agent | STRING |
| user_domain | STRING |
| entry_id | STRING |
Ingress Authentication event type code block
{
"account": "STRING",
"authentication_target": "STRING",
"custom_data": {},
"geoip_city": "STRING",
"geoip_country_code": "STRING",
"geoip_country_name": "STRING",
"geoip_organization": "STRING",
"geoip_region": "STRING",
"mobile_device_id": "STRING",
"r7_context": {
"user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING",
"domain": "STRING"
},
"account": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
}
},
"result": "STRING",
"service": "STRING",
"service_address": "STRING",
"source_data": "STRING",
"source_ip": "STRING",
"source_json": {},
"timestamp": "TIMESTAMP",
"user": "STRING",
"user_agent": "STRING",
"user_domain": "STRING",
"entry_id": "STRING"
}
Network Flow
flow
| Key | Value format |
|---|---|
| app_protocol | STRING |
| app_protocol_description | STRING |
| community_id | STRING |
| destination_address | STRING |
| destination_asset | STRING |
| destination_bytes | STRING |
| destination_packet_count | STRING |
| destination_port | STRING |
| destination_user | STRING |
| direction | STRING |
| first_packet_time | TIMESTAMP |
| flow_initiated | TIMESTAMP |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| mobile_device_id | STRING |
| last_packet_time | TIMESTAMP |
| r7_context | |
| source_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_address | STRING |
| source_asset | STRING |
| source_bytes | STRING |
| source_port | STRING |
| source_json | STRING |
| source_packet_count | STRING |
| source_user | STRING |
| timestamp | TIMESTAMP |
| total_bytes | STRING |
| total_packet_count | STRING |
| transport_protocol | STRING |
| entry_id | STRING |
Network Flow event type code block
{
"app_protocol": "STRING",
"app_protocol_description": "STRING",
"community_id": "STRING",
"destination_address": "STRING",
"destination_asset": "STRING",
"destination_bytes": "STRING",
"destination_packet_count": "STRING",
"destination_port": "STRING",
"destination_user": "STRING",
"direction": "STRING",
"first_packet_time": "TIMESTAMP",
"flow_initiated": "TIMESTAMP",
"geoip_city": "STRING",
"geoip_country_code": "STRING",
"geoip_country_name": "STRING",
"geoip_organization": "STRING",
"geoip_region": "STRING",
"last_packet_time": "TIMESTAMP",
"r7_context": {
"source_user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"source_asset": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"destination_user": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
},
"destination_asset": {
"rrn": "RRN",
"name": "STRING",
"type": "STRING"
}
},
"source_address": "STRING",
"source_asset": "STRING",
"source_bytes": "STRING",
"source_port": "STRING",
"source_packet_count": "STRING",
"source_user": "STRING",
"timestamp": "TIMESTAMP",
"total_bytes": "STRING",
"total_packet_count": "STRING",
"transport_protocol": "STRING",
"entry_id": "STRING"
}SSO
sso
| Key | Value format |
|---|---|
| user | STRING |
| account | STRING |
| service | STRING |
| source_ip | STRING |
| timestamp | TIMESTAMP |
| geoip_city | STRING |
| source_json | {} |
| geoip_region | STRING |
| sso_provider | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| entry_id | STRING |
SSO event type code block

```json
{
  "user": "STRING",
  "account": "STRING",
  "service": "STRING",
  "source_ip": "STRING",
  "timestamp": "TIMESTAMP",
  "geoip_city": "STRING",
  "source_json": {},
  "geoip_region": "STRING",
  "sso_provider": "STRING",
  "geoip_country_code": "STRING",
  "geoip_country_name": "STRING",
  "geoip_organization": "STRING",
  "entry_id": "STRING"
}
```

Third Party Alert
third_party_alert
| Key | Value format |
|---|---|
| alert_id | STRING |
| asset | STRING |
| custom_data | {} |
| description | STRING |
| r7_context | {} |
| r7_context.user | {} |
| r7_context.user.rrn | RRN |
| r7_context.user.name | STRING |
| r7_context.user.type | STRING |
| r7_context.asset | {} |
| r7_context.asset.rrn | RRN |
| r7_context.asset.name | STRING |
| r7_context.asset.type | STRING |
| product | STRING |
| severity | STRING |
| source_data | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| title | STRING |
| type | STRING |
| user | STRING |
| entry_id | STRING |
Third Party Alert event type code block

```json
{
  "alert_id": "UUID",
  "asset": "STRING",
  "custom_data": {},
  "description": "STRING",
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "product": "STRING",
  "severity": "STRING",
  "source_data": "STRING",
  "source_json": {},
  "timestamp": "TIMESTAMP",
  "title": "STRING",
  "type": "STRING",
  "user": "STRING",
  "entry_id": "STRING"
}
```

Virus Alert
virus
| Key | Value format |
|---|---|
| account | STRING |
| action | STRING |
| action_status | STRING |
| asset | STRING |
| custom_data | {} |
| error_code | STRING |
| error_description | STRING |
| file_path | STRING |
| r7_context | {} |
| r7_context.user | {} |
| r7_context.user.rrn | RRN |
| r7_context.user.name | STRING |
| r7_context.user.type | STRING |
| r7_context.user.domain | STRING |
| r7_context.asset | {} |
| r7_context.asset.rrn | RRN |
| r7_context.asset.name | STRING |
| r7_context.asset.type | STRING |
| r7_context.account | {} |
| r7_context.account.rrn | RRN |
| r7_context.account.name | STRING |
| r7_context.account.type | STRING |
| risk | STRING |
| source_address | STRING |
| source_data | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| user | STRING |
| user_domain | STRING |
| entry_id | STRING |
Virus Alert event type code block

```json
{
  "account": "STRING",
  "action": "STRING",
  "action_status": "STRING",
  "asset": "STRING",
  "custom_data": {},
  "error_code": "STRING",
  "error_description": "STRING",
  "file_path": "STRING",
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "account": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "risk": "STRING",
  "source_address": "STRING",
  "source_data": "STRING",
  "source_json": {},
  "timestamp": "TIMESTAMP",
  "user": "STRING",
  "user_domain": "STRING",
  "entry_id": "STRING"
}
```

WAF Activity
waf_activity
| Key | Value format |
|---|---|
| timestamp | TIMESTAMP |
| is_blocked | STRING |
| rule | STRING |
| mapped_severity | STRING |
| product_severity | STRING |
| source_address | STRING |
| source_port | STRING |
| geoip_organization | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_city | STRING |
| geoip_region | STRING |
| server_address | STRING |
| http_method | STRING |
| url_path | STRING |
| url_query | STRING |
| destination_port | STRING |
| incoming_bytes | STRING |
| outgoing_bytes | STRING |
| user_agent | STRING |
| referer | STRING |
| forwarded_for | STRING |
| auth_user | STRING |
| entry_id | STRING |
WAF Activity event type code block

```json
{
  "timestamp": "TIMESTAMP",
  "is_blocked": "STRING",
  "rule": "STRING",
  "mapped_severity": "STRING",
  "product_severity": "STRING",
  "source_address": "STRING",
  "source_port": "STRING",
  "geoip_organization": "STRING",
  "geoip_country_code": "STRING",
  "geoip_country_name": "STRING",
  "geoip_city": "STRING",
  "geoip_region": "STRING",
  "server_address": "STRING",
  "http_method": "STRING",
  "url_path": "STRING",
  "url_query": "STRING",
  "destination_port": "STRING",
  "incoming_bytes": "STRING",
  "outgoing_bytes": "STRING",
  "user_agent": "STRING",
  "referer": "STRING",
  "forwarded_for": "STRING",
  "auth_user": "STRING",
  "entry_id": "STRING"
}
```

Web Proxy Activity
web_proxy
| Key | Value format |
|---|---|
| asset | STRING |
| custom_data | {} |
| destination_ip | STRING |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| http_method | STRING |
| incoming_bytes | STRING |
| is_blocked | STRING |
| outgoing_bytes | STRING |
| public_suffix | STRING |
| r7_context | {} |
| r7_context.user | {} |
| r7_context.user.rrn | RRN |
| r7_context.user.name | STRING |
| r7_context.user.type | STRING |
| r7_context.user.domain | STRING |
| r7_context.asset | {} |
| r7_context.asset.rrn | RRN |
| r7_context.asset.name | STRING |
| r7_context.asset.type | STRING |
| scheme | STRING |
| source_data | STRING |
| source_ip | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| top_private_domain | STRING |
| url | STRING |
| url_host | STRING |
| url_path | STRING |
| url_query | STRING |
| user | STRING |
| observation_count | NUMERIC |
| first_observed_time | TIMESTAMP |
| last_observed_time | TIMESTAMP |
| user_agent | STRING |
| user_domain | STRING |
| entry_id | STRING |
This event type contains deduplicated data.
Web Proxy event type code block

```json
{
  "asset": "STRING",
  "custom_data": {},
  "destination_ip": "STRING",
  "geoip_city": "STRING",
  "geoip_country_code": "STRING",
  "geoip_country_name": "STRING",
  "geoip_organization": "STRING",
  "geoip_region": "STRING",
  "http_method": "STRING",
  "incoming_bytes": "STRING",
  "is_blocked": "STRING",
  "outgoing_bytes": "STRING",
  "public_suffix": "STRING",
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "scheme": "STRING",
  "source_data": "STRING",
  "source_ip": "STRING",
  "source_json": {},
  "timestamp": "TIMESTAMP",
  "top_private_domain": "STRING",
  "url": "STRING",
  "url_host": "STRING",
  "url_path": "STRING",
  "url_query": "STRING",
  "user": "STRING",
  "observation_count": "NUMERIC",
  "first_observed_time": "TIMESTAMP",
  "last_observed_time": "TIMESTAMP",
  "user_agent": "STRING",
  "user_domain": "STRING",
  "entry_id": "STRING"
}
```

Web Server Access
web_server_access
| Key | Value format |
|---|---|
| timestamp | TIMESTAMP |
| source_address | STRING |
| geoip_organization | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_city | STRING |
| geoip_region | STRING |
| server_address | STRING |
| url_host | STRING |
| http_method | STRING |
| url_path | STRING |
| response_status | STRING |
| outgoing_bytes | STRING |
| user_agent | STRING |
| referer | STRING |
| forwarded_for | STRING |
| auth_user | STRING |
| entry_id | STRING |
Web Server Access event type code block

```json
{
  "timestamp": "TIMESTAMP",
  "source_address": "STRING",
  "geoip_organization": "STRING",
  "geoip_country_code": "STRING",
  "geoip_country_name": "STRING",
  "geoip_city": "STRING",
  "geoip_region": "STRING",
  "server_address": "STRING",
  "url_host": "STRING",
  "http_method": "STRING",
  "url_path": "STRING",
  "response_status": "STRING",
  "outgoing_bytes": "STRING",
  "user_agent": "STRING",
  "referer": "STRING",
  "forwarded_for": "STRING",
  "auth_user": "STRING",
  "entry_id": "STRING"
}
```

Windows Event Log Deletion
log_deletion
| Key | Value format |
|---|---|
| time | TIMESTAMP |
| user | STRING |
| user_domain | STRING |
| account | STRING |
| asset | STRING |
| asset_address | STRING |
| windows_event_code | NUMBER |
| source_data | STRING |
| source_json | {} |
| r7_context | {} |
| r7_context.user | {} |
| r7_context.user.rrn | RRN |
| r7_context.user.name | STRING |
| r7_context.user.type | STRING |
| r7_context.user.domain | STRING |
| r7_context.account | {} |
| r7_context.account.rrn | RRN |
| r7_context.account.name | STRING |
| r7_context.account.type | STRING |
| r7_context.asset | {} |
| r7_context.asset.rrn | RRN |
| r7_context.asset.name | STRING |
| r7_context.asset.type | STRING |
| entry_id | STRING |
Windows Event Log Deletion event type code block

```json
{
  "timestamp": "TIMESTAMP",
  "user": "STRING",
  "user_domain": "STRING",
  "account": "STRING",
  "asset": "STRING",
  "asset_address": "STRING",
  "windows_event_code": "NUMBER",
  "source_data": "STRING",
  "source_json": {},
  "r7_context": {
    "user": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING",
      "domain": "STRING"
    },
    "account": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    },
    "asset": {
      "rrn": "RRN",
      "name": "STRING",
      "type": "STRING"
    }
  },
  "entry_id": "STRING"
}
```

Detection-based Event Types
Anomalous Data Transfer
anomalous_data_transfer
| Key | Value format |
|---|---|
| analysis_hour_destinations | [] |
| analysis_hour_destinations.city | STRING |
| analysis_hour_destinations.dst_addr | NUMERIC |
| analysis_hour_destinations.dst_port | NUMERIC |
| analysis_hour_destinations.hostname | STRING |
| analysis_hour_destinations.cert_name | STRING |
| analysis_hour_destinations.country_code | STRING |
| analysis_hour_destinations.organization | STRING |
| analysis_hour_destinations.dst_bytes_human | STRING |
| analysis_hour_destinations.src_bytes_human | STRING |
| analysis_hour_destinations.dst_bytes_percent | NUMERIC |
| analysis_hour_destinations.src_bytes_percent | NUMERIC |
| analysis_hour_stats | {} |
| analysis_hour_stats.bytes_ratio | STRING |
| analysis_hour_stats.num_destinations | NUMERIC |
| analysis_hour_stats.incoming_bytes_human | STRING |
| analysis_hour_stats.outgoing_bytes_human | STRING |
| analysis_hour_stats.num_destination_ports | NUMERIC |
| date | TIMESTAMP |
| source_addresses | STRING |
| source_asset_id | UUID |
| source_asset_names | STRING |
Anomalous Data Transfer event type code block

```json
{
  "analysis_hour_destinations": [
    {
      "city": "STRING",
      "dst_addr": "NUMERIC",
      "dst_port": "NUMERIC",
      "hostname": "STRING",
      "cert_name": "STRING",
      "country_code": "STRING",
      "organization": "STRING",
      "dst_bytes_human": "STRING",
      "src_bytes_human": "STRING",
      "dst_bytes_percent": "NUMERIC",
      "src_bytes_percent": "NUMERIC"
    }
  ],
  "analysis_hour_stats": {
    "bytes_ratio": "STRING",
    "num_destinations": "NUMERIC",
    "incoming_bytes_human": "STRING",
    "outgoing_bytes_human": "STRING",
    "num_destination_ports": "NUMERIC"
  },
  "date": "TIMESTAMP",
  "source_addresses": "STRING",
  "source_asset_id": "UUID",
  "source_asset_names": "STRING"
}
```

Audit Logs
The audit logs in SIEM (InsightIDR) capture a chronological view of every action taken in relation to a particular object, such as an investigation or alert. You can use Log Search to query the data in the audit log.
The log sets that are generated from the audit log originate from actions taken in SIEM (InsightIDR), rather than event sources or the Rapid7 Agent (Insight Agent), so they don’t have event types.
SIEM (InsightIDR) Investigations
| Key | Value format |
|---|---|
| time | TIMESTAMP |
| action | STRING |
| audit_id | STRING |
| result | STRING |
| access_method | STRING |
| product | STRING |
| description | STRING |
| service_info | {} |
| service_info.investigation_id | STRING |
| service_info.investigation_name | STRING |
| service_info.investigation_type | STRING |
| service_info.investigation_rrn | RRN |
| service_info.assigned_user | STRING |
| service_info.assignee_login | STRING |
| request | {} |
| request.user_agent | STRING |
| request.geo_location | {} |
| request.geo_location.organization | STRING |
| request.geo_location.country_name | STRING |
| request.geo_location.country_code | STRING |
| request.geo_location.city | STRING |
| request.geo_location.region | STRING |
| request.ip | STRING |
| request.user | {} |
| request.user.email | STRING |
| request.user.name | STRING |
SIEM (InsightIDR) Investigations code block

```json
{
  "time": "TIMESTAMP",
  "action": "STRING",
  "audit_id": "STRING",
  "result": "STRING",
  "access_method": "STRING",
  "product": "STRING",
  "description": "STRING",
  "service_info": {
    "investigation_id": "STRING",
    "investigation_name": "STRING",
    "investigation_type": "STRING",
    "investigation_rrn": "RRN",
    "assigned_user": "STRING",
    "assignee_login": "STRING"
  },
  "request": {
    "user_agent": "STRING",
    "geo_location": {
      "organization": "STRING",
      "country_name": "STRING",
      "country_code": "STRING",
      "city": "STRING",
      "region": "STRING"
    },
    "ip": "STRING",
    "user": {
      "email": "STRING",
      "name": "STRING"
    }
  }
}
```

SIEM (InsightIDR) Alerts
| Key | Value format |
|---|---|
| time | TIMESTAMP |
| action | STRING |
| audit_id | STRING |
| result | STRING |
| access_method | STRING |
| product | STRING |
| description | STRING |
| service_info | {} |
| service_info.alert_id | STRING |
| service_info.alert_name | STRING |
| service_info.alert_type | STRING |
| service_info.alert_rrn | RRN |
| service_info.assigned_user | STRING |
| service_info.assignee_login | STRING |
| request | {} |
| request.user_agent | STRING |
| request.geo_location | {} |
| request.geo_location.organization | STRING |
| request.geo_location.country_name | STRING |
| request.geo_location.country_code | STRING |
| request.geo_location.city | STRING |
| request.geo_location.region | STRING |
| request.ip | STRING |
| request.user | {} |
| request.user.email | STRING |
| request.user.name | STRING |
SIEM (InsightIDR) Alerts code block

```json
{
  "time": "TIMESTAMP",
  "action": "STRING",
  "audit_id": "STRING",
  "result": "STRING",
  "access_method": "STRING",
  "product": "STRING",
  "description": "STRING",
  "service_info": {
    "alert_id": "STRING",
    "alert_name": "STRING",
    "alert_type": "STRING",
    "alert_rrn": "RRN",
    "assigned_user": "STRING",
    "assignee_login": "STRING"
  },
  "request": {
    "user_agent": "STRING",
    "geo_location": {
      "organization": "STRING",
      "country_name": "STRING",
      "country_code": "STRING",
      "city": "STRING",
      "region": "STRING"
    },
    "ip": "STRING",
    "user": {
      "email": "STRING",
      "name": "STRING"
    }
  }
}
```